PSA: A malicious download for Comet browser by Perplexity is currently being advertised via Google Ads.

At DataDome we are seeing more and more traffic coming from AI agents and browsers. Criminals are taking notice and buying ads related to Agentic browsers (another malicious campaign for Arc browser is also running).

Malicious ad ➡️ cometswift[.]com ➡️ perplexity[.]page ➡️ GitHub

Payload: hxxps[://]github[.]com/richardsuperman/musical-engine/releases/download/beta/comet_latest[.]msi
Command and Control (C2) server: icantseeyou[.]icu
VirusTotal: https://www.virustotal.com/gui/file/64562a0f1eabfcfb754426020021da69fe31bb551a653d143d75649252c61050

#malvertising #cometbrowser

Large scale Google Ads campaign targets utility software

https://www.malwarebytes.com/blog/news/2024/10/large-scale-google-ads-campaign-targets-utility-software

Fake Disney+ activation page redirects to pornographic scam
https://www.malwarebytes.com/blog/scams/2024/10/fake-disney-activation-page-redirects-to-pornographic-scam

#malvertising Obsidian

@Lee_Holmes @briankrebs for better or worse PowerShell has become somewhat associated with malicious activity (for those in the security space looking at malware).

Remote desktop applications have also inherited a bad reputation as scammers often use them.

But you are absolutely correct, getting the user to do anything at this point is the issue.

@screaminggoat @da_667 @malware_traffic adding @rmceoin

Walmart customers scammed via fake shopping lists, threatened with arrest

https://www.malwarebytes.com/blog/scams/2024/09/walmart-customers-scammed-via-fake-shopping-lists-threatened-with-arrest

Credit card 'img' skimmer domain:

trendgurupro[.]com

Part of this campaign: https://www.malwarebytes.com/blog/news/2024/08/hundreds-of-online-stores-hacked-in-new-campaign

Scammers advertise fake AppleCare+ service via GitHub repos
https://www.malwarebytes.com/blog/scams/2024/09/scammers-advertise-fake-applecare-service-via-github-repos

@Ericlaw is Internet Explorer still being used or is that the default title header?

Malicious Google Ads for Apple suport

hxxps[://]applescustomerservice24x7care1102[.]vercel[.]app/

hxxps[://]apples24x7-customersupporthelp[.]github[.]io/saf/

Malicious Google Ad for WinSCP

winscp[.]corysound[.]com
winscpp[.]net
badlink58[.]com/wp-includes/fonts/WinSCP-6.3.4.zip

Malicious Google ad for Microsoft Support

hxxps[://]microsft-customer-helpline[.]vercel[.]app

New blog: Lowe’s employees phished via Google ads

https://www.malwarebytes.com/blog/news/2024/09/lowes-employees-phished-via-google-ads

Malicious Google Ad for Cisco AnyConnect

cisco[.]com[.]gruaselpiojito[.]com[.]mx

cisco[.]com[.]gruaselpiojito[.]com[.]mx/download/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe

NetSupport RAT, C2: sivacycle[.]com

https://www.virustotal.com/gui/file/c432721a5077fb5232a07d9a1e23c03bee715eb9e3ac80d3bf971f1910e5215c

Fake Canva home page leads to browser lock

https://www.malwarebytes.com/blog/scams/2024/08/fake-canva-home-page-leads-to-browser-lock

@Lee_Holmes Not really, but I just started digging into this more recently so I suspect there are many variations of it.

Come to think of it, it's just a form of spam, looking for any way they can inject data into legitimate/official sources.

Malicious Google ad for Zoom

pacificfisherman[.]com
zoomi[.]company
zoomi[.]company/Zoom[.]exe

https://www.virustotal.com/gui/file/21b075ff9da7d425ad8c44c0c7104d7ca3ae9834fb539a3de840bd30a2a93db6

SocGholish/FakeUpdates

jswebcloud[.]com
premium[.]davidabostic[.]com

C2: contest[.]printondemandmerchandise[.]com

@Lee_Holmes thanks, I'm glad it's not just disabling one URL at a time, but an entire account.

Here's the larger campaign I was talking about. Not sure what MSFT can do about it, but it's a real issue: https://www.malwarebytes.com/blog/scams/2024/08/psa-these-microsoft-support-ploys-may-just-fool-you